AppScan Tricks And Tools

About this blog

Forum for those Learning about Leading IBM Application Security Tricks, Scripts and Tools and Kits for AppScan Source for Analysis ...Customizing, Integrating, Sniffing, Snooping and Hijacking your way to joy.

** Re-posting this entry from the Message Board **
IBM Security Systems Has All The Artillery To Dominate the Security Battlefield. It just needs to be deployed properly. → Some factors that may explain the current state of the application security maturity [extremely low]: Development organizations continue to lack the necessary security training and processes to translate 'security requirements' into a secure design with appropriate unit tests. The intense pace of development of new technologies and migration of... [More]

Following my previous venture, more accurately 'wander', into Extending WAFL - ASP.NET MVC and a very cool, tangential trip off into Continuous Integration Land, I'm now re-gaining focus on using the AppScan Source Framework-4-Frameworks (F4F) APIs to write support for handling the ASP.NET MVC 3.0 framework. As detailed in this post by Dinis Cruz: AspNet Support In Sast And IBM-F4F. There are several, non-trivial, pieces to constructing the full data flow picture of a modern MVC application and ASP.NET MVC 3.0 contains a particular... [More]

Last Episode: After having configured our Continuous Integration platform, Team City, and integrating GitHub as both the source code control system as well as the eventual build and scanning artifact repository, we were able to properly trigger an Ant build of a simple application by committing (or 'pushing' in Git terminology) the application and its build files to a predetermined public repository.
Here And Now: Our Prototype-tagonists are tasked with the integration of AppScan Source Scanning into the environment. By either adding... [More]

This post will be the first in a series dedicated to providing initial support for a very common .NET framework in use today, the ASP.NET MVC – specifically version 3.0 (http://www.asp.net/mvc/mvc3). The lack of AppScan Source visibility into this framework and any applications built using it was first described in depth in this post by Dinis Cruz: ASP.NET MVC Support in SAST and IBM F4F. Given that there currently is not WAFL support, i.e. a WAFL Generator has not yet been created to identify the various constructs that need WAFL rules... [More]

I want to interrupt the normal technical programming on this channel to interject something of true importance to me: SNOWBOARDING. Here is a link to a video I threw together over the Holiday break of a couple of days of powder in some tight trees in Vermont. This one should stream directly to an iPhone: East Coast Prowler - m4v. And here is an HD version, should play as a Quicktime object if opened on a Mac, otherwise I would suggest VLC or another everything-player on Windows: East Coast Prowler HD - mov. Enjoy. -_- I4n

One of the main advantages of having a full Continuous Integration environment integrated with the security scanning tools, all running together on a central server (pronounced “Mainframe”) is the ability for customization to take place, such as the initial phase of Support for ASP.NET MVC 3.0, and immediately be made available to the entire enterprise. In this scenario, a key aspect to take into consideration is the fact that the product integration, installation of the development / run time environments and SDKs, as well as the... [More]

To illustrate a real world application for the technique described in Application Injection, we are going to use the O2 REPL functionality to modify the running process, in real-time, to add a Source Edition Results Plug-in to AppScan Standard. The resulting prototype is a way to display and map Static and Dynamic Analysis results for a given application that allows for a very interesting perspective - one that highlights the strengths and weaknesses of both technologies and allows for a deeper and more accurate investigation. ... [More]

Getting back to the task of adding support for the ASP.NET MVC framework and following the advice of the architects of the language: “Details of writing and deploying an F4F handler that uses the F4F high-level APIs are described in the AppScan Source document Security_AppScan_Source_Utilities.pdf shipped with the product. See Chapt. 7.” Hence it seems that we shall create a new F4F Handler (also known around town as a 'WAFL Generator') – which is the mechanism by which the .wafl files are created during each scan for use by... [More]

As detailed in my previous post, The AppScan Appliance - Design and Architecture, I noted several components that I consider crucial steps in the development of the AppScan Appliance Proof of Concept. One of the first major milestones will be the creation of a web-based portal where AppScan Source scans can be triggered and the results viewed. Ideally this portal will be the front end for a Continuous Integration environment which itself will be integrated with a Version Control System (VCS) used not only for acquiring the source code... [More]

Here is a pretty funny and / or really serious (depending on your frame of reference) utility that exploits a low level SMTP vulnerability by design. In effect, this allows one to send an email FROM ANY ADDRESS, as long as the domain doesn't actually exist. That may sound like a tough restriction but I can testify that anything from a realistic sounding new division name, theoretically something like myboss@security.us.ibm.com, has a very high potential of being opened. Link to the Utility in a Standalone Executable (with a cool... [More]

The AppScan Appliance – Proof Of Concept Architecture and Application Security Process. Following some great feedback I received on my previous post regarding the concept of an AppScan Security Appliance, How The Mainframe Can Transform Application Security, I want to further define a potential high level architecture along with a set of processes for integration into the application development life cycle. The goal here is to start down the path towards a Proof Of Concept including a prototype in order to demonstrate what I believe will... [More]

"Application Injection" is a term that I coined last year at DefCon for a technique first demonstrated to me there. Sitting in the front row of a rowdy, fun crowd at one of the last talks (shots, shots for the speaker!) of the conference, I watched in amazement as it was shown to me how to start an application, hook into its process, grab a reference to the main form and then inject a full scripting and compilation environment directly into the application. This of course was happening, not at the podium, but directly beside me, as... [More]

In his recent post on obtaining the various installation packages for a complete installation of the AppScan product suite, AppScan Eval Downloads and What is What, Dinis makes a good point about the confusion that one can encounter when moving from earlier versions (pre-8.5) of AppScan Source and AppScan Enterprise to 8.6.x and does a pretty solid job of explaining the line in a bit more detail. To help out with his one point of confusion, regarding the Dynamic Analysis module, I gave him a bit of an insider explanation, which may be useful... [More]

As promised in the overview of this blog, I am going to begin demonstrating / releasing some utilities that push the limits of what is normally considered possible in a Windows environment. This should be considered both an effort to educate the general public about the pace at which security is changing (where exactly is the sandbox now??) and also to shed some light on the power of the O2 Platform, since it seems to me that right now may be one of the rare times in the 'application security arms race', where The Developers Have A... [More]